User Expectations
in Mobile App Security
Tao XieJoint Work w/ Wesley Brooks, Wing Lam, Davis Li, David Yang, Carl Gunter, ChengXiang Zhai (Illinois)
Benjamin Andow, William Enck (NCSU)
Collaborating SoS Lablet PIs:
Sean Smith (Dartmouth), Ross Koppel (U Penn),
Jim Blythe (USC)
NSA SoS Lablet, NSF Medium CNS-1513939,
Google Faculty Research Award
Mobile App Markets
Apple App Store Google Play Microsoft Windows Phone
App Store beyond Mobile Apps!
+++++++++++++++++++++
++• tempMobile apps can access a wealth
of sensitive data and sensors
Acknowledgment: Slide adapted from Haoyu Wang’s
“Conceptual” Model
5
APP DEVELOPERS
APP USERS
App
Functional
Requirements
App Security
Requirements
User
Functional
Requirements
User Security
Requirements
informal: app description, etc. permission list, etc.
App Code
App Code
Informal App Functional Requirements:
App Description
6
App
Code
App
Permissions
App Security Requirements:
Permission List
7
“Conceptual” Model
8
APP DEVELOPERS
APP USERS
App
Functional
Requirements
App Security
Requirements
User
Functional
Requirements
User Security
Requirements
informal: app description, etc. permission list, etc.
App Code
Example Andriod App: Angry Birds
9
It is NOT that People Don’t Care
http://www.businessinsider.com/app-permission-agreements-privacy-video-2015-2
“Conceptual” Model
11
APP DEVELOPERS
APP USERS
App
Functional
Requirements
App Security
Requirements
User
Functional
Requirements
User Security
Requirements
informal: app description, etc. permission list, etc.
App Code
oFocus on permission app descriptions
o permissions (protecting user understandable resources)
should be discussed
o What does the users expect (w.r.t. app functionalities)?
o GPS Tracker: record and send location
o Phone-Call Recorder: record audio during phone call
WHYPER: Text Analytics for Mobile Security
12
App Description SentencePermission
Linkage
Pandita et al. WHYPER: Towards Automating Risk Assessment of Mobile Applications. USENIX Security 2013
http://web.engr.illinois.edu/~taoxie/publications/usenixsec13-whyper.pdf
WHYPER Overview
Application Market
WHYPER
DEVELOPERS
USERS 13Pandita et al. WHYPER: Towards Automating Risk Assessment of Mobile Applications. USENIX Security 2013
http://web.engr.illinois.edu/~taoxie/publications/usenixsec13-whyper.pdf
• Enhance user experience while installing apps
• Enforce functionality disclosure on developers
• Complement program analysis to ensure justifications
Natural Language Processing on App Description
14
• “Also you can share the yoga exercise to your friends via Email and SMS.”
– Implication of using the contact permission
– Permission sentences
• Confounding effects:
– Certain keywords such as “contact” have a confounding meaning
– E.g., “... displays user contacts, ...” vs “... contact me at [email protected]”.
• Semantic inference:
– Sentences describe a sensitive action w/o referring to keywords
– E.g., “share yoga exercises with your friends via Email and SMS”
NLP + Semantic Graphs/Ontologies Derived from Android API Documents
• Synonym analysis• Ex non-permission sentence: “You can now turn recordings into
ringtones.”• functionality that allows users to create ringtones from previously recorded
sounds but NOT requiring permission to record audio
• false positive due to using synonym: (turn, start)
• Limitations of Semantic Graphs• Ex. permission sentence: “blow into the mic to extinguish the
flame like a real candle” • false negative due to failing to associate “blow into” with “record”
• Automatic mining from user comments and forums
Challenges
15
Not All Malware Developers Are “Dumb” or “Lazy”
16
Example Malicious App
17
http://www.which.co.uk/consumer-rights/problem/im-being-charged-for-unwanted-premium-rate-text-messages
Example Malicious App
18
http://www.which.co.uk/consumer-rights/problem/im-being-charged-for-unwanted-premium-rate-text-messages
Example Malicious App
19
Not All Malware Developers Are “Dumb” or “Lazy”
Benign? Malicious?
Insight by Other Researchers
• Stealthy behaviors in Android apps
Premium rate
Phone number
Malicious Web
site
Send SMS to
Send request to
Respond with malicious app
You didn’t
see me
Huang et al. AsDroid: Detecting Stealthy Behaviors in Android Applications by User Interface and Program Behavior Contradiction. ICSE 2014.
https://www.cs.purdue.edu/homes/xyzhang/Comp/icse14_2.pdf Acknowledgment: slide adapted from AsDroid authors’
Motivation: Stealthy App Behaviors
• 52-64% of existing malwares send stealthy premium rate
SMS messages or make phone calls [Felt et al. SPSM’11, Zhou et
al. S&P’12]
• Stealthy HTTP requests are also very common
undesirable behaviors in malware [Felt et al. SPSM’11]
– A kind of malware making stealthy HTTP connections caused
8 million dollars loss in March 2010 in China [news in SINA.com]
Acknowledgment: slide adapted from AsDroid authors’
Motivating Example
public class RegLoginListener implements OnClickListener {
public void onClick(View view) {
String uid = ...;
String pass = ...;
if (pref. getBoolean("registered", false)) {
LoginTask.doLogin(uid, pass);
} else {
sendRegisterSms(getPhoneNumber());
doRegister(uid, pass);
...
}
}
}
Acknowledgment: slide adapted from AsDroid authors’
Motivating Examplepublic class RegLoginListener implements OnClickListener {
public void onClick(View view) {
String uid = ...;
String pass = ...;
if (pref. getBoolean("registered", false)) {
LoginTask.doLogin(uid, pass);
} else {
sendRegisterSms(getPhoneNumber());
doRegister(uid, pass);
...
}
}
private void sendRegisterSms(String phoneNum) {
String msg = String.format("Register Phone: %s",
phoneNum);
SmsManager sm = SmsManager.getDefault();
sm.sendTextMessage("106053", null, msg, null, null);
}
}
public class LoginTask extends AsyncTask {
protected String doInBackground(String... params) {
http.execute(get); // http & get are fields
}
public static void doLogin(String uid, String pass) {
LoginTask login = new LoginTask();
String[] params = new String[] { uid, pass };
login.execute(params);
}
}
RegLoginListener.onClick()
LoginTask.doLogin() sendRegisterSms()
LoginTask.execute()
SmsManager.sendTextMessage()
LoginTask.doInBackground()
indirect call
Acknowledgment: slide adapted from AsDroid authors’
HttpClient.execute()
AsDroid Approach
RegLoginListener.onClick()
HttpAccess
SendSms
Code behaviors
Correlation Analysis
UI Text
HttpAccess
SendSms
Acknowledgment: slide adapted from AsDroid authors’
Our Own Insight
Different goals of benign apps vs. malware.
• Benign apps– Meet requirements from users (as delivering utility)
• Malware– Trigger malicious behaviors frequently (as maximizing profits)
– Evade detection (as prolonging lifetime)
26
Differentiating characteristics
Mobile malware (vs. benign apps)
– Frequently enough to meet the need: frequent occurrences of imperceptible system events;
• E.g., many malware families trigger malicious behaviors via background events.
– Not too frequently for users to notice anomaly: indicativestates of external environments
• E.g., Send premium SMS every 12 hours
Balance!!!
ActionReceiver.OnReceive()Date date = new Date();
if(data.getHours>23 || date.getHours< 5 ){
ContextWrapper.StartService(MainService);
…
MainService.OnCreate()
DummyMainMethod()
SendTextActivity$4.onClick()SplashActivity.OnCreate()
SmsManager.sendTextMessage()
long last = db.query(“LastConnectTime");
long current = System.currentTimeMillis();
if(current – last > 43200000 ){
SmsManager.sendTextMessage();
db.save(“LastConnectTime”, current);
…
SendTextActivity$5.run()MainService.b()
ContextWrapper.StartService()
The app will send an SMS when
• user clicks a button in the app
Example of malicious app
SendTextActivity$4.onClick
SmsManager.sendTextMessage
ActionReceiver.OnReceive()Date date = new Date();
if(data.getHours>23 || date.getHours< 5 ){
ContextWrapper.StartService(MainService);
…
MainService.OnCreate()
DummyMainMethod()
SendTextActivity$4.onClick()SplashActivity.OnCreate()
SmsManager.sendTextMessage()
long last = db.query(“LastConnectTime");
long current = System.currentTimeMillis();
if(current – last > 43200000 ){
SmsManager.sendTextMessage();
db.save(“LastConnectTime”, current);
…
SendTextActivity$5.run()MainService.b()
ContextWrapper.StartService()
The app will send an SMS when
• phone signal strength changes
(frequent)
• current time is within 11PM-5 AM
(not too frequent, User not around)
Example of malicious app
if(data.getHours>23 || date.getHours< 5 ){
Android.intent.action.SIG_STR
ActionReceiver.OnReceive()
Date date = new Date();
if(data.getHours>23 || date.getHours< 5 ){
ContextWrapper.StartService(MainService);
…
MainService.OnCreate()
DummyMainMethod()
SendTextActivity$4.onClick()SplashActivity.OnCreate()
SmsManager.sendTextMessage()
long last = db.query(“LastConnectTime");
long current = System.currentTimeMillis();
if(current – last > 43200000 ){
SmsManager.sendTextMessage();
db.save(“LastConnectTime”, current);
…
SendTextActivity$5.run()MainService.b()
ContextWrapper.StartService()
The app will send an SMS when
• user enters the app (frequent)
• (current time – time when last msg
sent) >12 hours (not too frequent)
Example
if(current – last > 43200000 ){
AppContext
• Capture differentiating characteristics
with contexts of security-sensitive
behavior.
• Leverage contexts in machine
learning (classification) to differentiate
malware and benign apps.
Yang et al. AppContext: Differentiating Malicious and Benign Mobile App Behavior Under Contexts. ICSE 2015.
http://taoxie.cs.illinois.edu/publications/icse15-appcontext.pdf
Different Insight by Other Researchers
Attackers like to piggyback the same attack
payload to different legitimate apps.
Chen et al. Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale. USENIX Security
2015. https://www.usenix.org/node/190925 Acknowledgment: slide adapted from Kai Chen’s
http://www.appomicsec.com
Results of Repackaging
Compare related apps,
check “different” code
Acknowledgment: slide adapted from Kai Chen’s
Results of Repackaging
Detect code intersection
in apps with unrelated
apps
Acknowledgment: slide adapted from Kai Chen’s
MassVet approach: DiffCom Analysis
Sim-View
Analysis
No
Yes Diff Analysis
Com Analysis
Suspicious?
Acknowledgment: slide adapted from Kai Chen’s
MassVet: Diff Analysis• For apps having the same view and different signatures,
the different methods between the two apps may be malicious
• Challenge 1: How to quickly compare two apps and find the different methods?
• Challenge 2: Are the different methods malicious?
Chen et al. Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale. USENIX Security
2015. https://www.usenix.org/node/190925 Acknowledgment: slide adapted from Kai Chen’s
MassVet: Com Analysis
• For the apps with different views, find the common code
• Challenge 1: Are the two apps really unrelated?
• Challenge 2: Is the common code really malicious?
Chen et al. Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale. USENIX Security
2015. https://www.usenix.org/node/190925 Acknowledgment: slide adapted from Kai Chen’s
Putting Pieces Together
39
APP DEVELOPERS
APP USERS
App
Functional
Requirements
App Security
Requirements
User
Functional
Requirements
User Security
Requirements
informal: app description, etc. permission list, etc.
App Code
App Code
WHYPER
AsDroid
AppContext
MassVet
http://www.scmagazineuk.com/chinese-android-smartphones-now-shipping-
with-pre-installed-malware/article/436631/
Pre-Installed Apps/Malware
http://thehackernews.com/2015/09/android-smartphone-malware.html
Pre-Installed Apps/Malware: Middlemen
• “According to the G Data researchers, there is unlikely to have
been anything accidental about the malware it discovered pre-
installed on at least 26 different smartphones from
manufacturers including Huawei, Lenovo and Xiaomi.”
• “Which isn't to say the security firm thinks that the
manufacturers are the perpetrators here, far from it. In fact, G
Data reckons it is down to 'middlemen' in the distribution
chain who are looking to add to their revenue by making
"additional financial gains from stolen user data and enforced
advertising".”
http://www.scmagazineuk.com/chinese-android-smartphones-now-shipping-
with-pre-installed-malware/article/436631/
Pre-Installed Apps/Malware: Removal
http://www.gsmarena.com/samsung_lets_users_delete_preinstalled_apps_in_china_in_light_of_lawsuit-blog-13348.php
http://thehackernews.com/2015/09/android-smartphone-malware.html
Internet of Things Security: Mobile or Not
http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-things-for-photos-of-sleeping-babies/
Internet of Things Security: Mobile or Not
• “The cameras are vulnerable because they use the Real Time
Streaming Protocol (RTSP, port 554) to share video but have
no password authentication in place. The image feed is
available to paid Shodan members at images.shodan.io. Free
Shodan accounts can also search using the filter port:554
has_screenshot:true.”
• “Shodan crawls the Internet at random looking for IP
addresses with open ports. If an open port lacks
authentication and streams a video feed, the new script takes
a snap and moves on.”
http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-things-for-photos-of-sleeping-babies/
Internet of Things Security:
The curse of the minimum viable product
• “Tentler told Ars that webcam manufacturers are in a race to
bottom. Consumers do not perceive value in security and
privacy. As a rule, many have not shown a willingness to pay
for such things. As a result, webcam manufacturers slash
costs to maximize their profit, often on narrow margins. Many
webcams now sell for as little as £15 or $20.”
• “"The consumers are saying 'we're not supposed to know
anything about this stuff [cybersecurity]," he said. "The
vendors don't want to lift a finger to help users because it
costs them money."”
http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-things-for-photos-of-sleeping-babies/
(Mobile) Privacy vs. Utility: A Balancing Act
• A likely scenario for a professor– Student A: “May I record our 1-on-1 meeting so that I don’t miss anything?”
– Professor: “Hmmhh… OK… but please don’t post it on public domain or
redistribute it…”
– Hopefully….
• Mobile utility apps: app store management, Input method,
IME (input method editor)
– even non-mobile ones: medical devices, search engines, ….
• Assurance case for privacy policy compliance by app or
service providers
Sen et al. Bootstrapping Privacy Compliance in Big Data Systems, Oakland 2013.
http://research.microsoft.com/apps/pubs/default.aspx?id=208626
User Expectations in Mobile App Security
47
APP DEVELOPERS
APP USERS
App
Functional
Requirements
App Security
Requirements
User
Functional
Requirements
User Security
Requirements
informal: app description, etc. permission list, etc.
App Code
App Code
WHYPER
AsDroid
AppContext
MassVet
User Expectations in Mobile App Security
48
APP DEVELOPERS
APP USERS
App
Functional
Requirements
App Security
Requirements
User
Functional
Requirements
User Security
Requirements
informal: app description, etc. permission list, etc.
App Code
App Code
WHYPER
AsDroid
AppContext
MassVet
NSA SoS Lablet, NSF Medium CNS-1513939,
Google Faculty Research Award